OpenSSH 3.5 has been released
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
Changes since OpenSSH 3.4:
* Improved support for Privilege Separation (Portability, Kerberos, PermitRootLogin handling).
* ssh(1) prints out all known host keys for a host if it receives an unknown host key of a different type.
* Fixed AES/Rijndael EVP integration for OpenSSL < 0.9.7 (caused problems with bounds checking patches for gcc).
* ssh-keysign(8) is disabled by default and only enabled if the HostbasedAuthentication option is enabled in the global ssh_config(5) file.
* ssh-keysign(8) uses RSA blinding in order to avoid timing attacks against the RSA host key.
* A use-after-free bug was fixed in ssh-keysign(8). This bug broke hostbased authentication on several platforms.
* ssh-agent(1) is now installed setgid in order to avoid ptrace(2) attacks.
* ssh-agent(1) now restricts access with getpeereid(2) (or an equivalent, where available).
* sshd(8) no longer uses the ASN.1 parsing code from libcrypto when verifying RSA signatures.
* sshd(8) now sets the SSH_CONNECTION environment variable.
* Enhanced "ls" support for the sftp(1) client, including globbing and detailed listings.
* ssh(1) now always falls back to an uncompressed session if the server does not support compression.
* The default behavior of sshd(8) with regard to user-settable environment variables has changed: the new option PermitUserEnvironment is disabled by default, see sshd_config(5).
* The default value for LoginGraceTime has been changed from 600 to 120 seconds, see sshd_config(5).
* Removed erroneous SO_LINGER handling.
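Two of the items above change sshd(8) defaults (PermitUserEnvironment off, LoginGraceTime 120 seconds), and a host carrying an older sshd_config may still override them. The following is an added example, not code from the OpenSSH project or from this article: a small Python audit that parses an sshd_config(5) the way sshd does (case-insensitive keywords, first occurrence wins) and reports where a file deviates from those two 3.5 defaults. The sample config embedded in it is constructed for the demonstration, and the time-suffix handling assumes a single s/m/h suffix rather than sshd's full time format.

```python
"""Audit an sshd_config(5) file against two defaults from the OpenSSH 3.5 release notes."""

# Defaults the 3.5 notes describe: PermitUserEnvironment is off, LoginGraceTime is 120 seconds.
# Only these two options are checked here (assumption: a deliberately narrow scope).
DEFAULTS = {
    "permituserenvironment": "no",
    "logingracetime": "120",
}

# Constructed sample config for the demonstration; not taken from any real host.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
LoginGraceTime 600
PermitUserEnvironment yes
# sshd keeps the first value it sees, so this later line is ignored:
LoginGraceTime 30
"""


def parse_sshd_config(text):
    """Return {keyword: value} for non-comment lines.

    Keywords are case-insensitive and the first occurrence wins, which is how
    sshd(8) itself resolves duplicate options.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def grace_seconds(value):
    """Convert a LoginGraceTime value to seconds (plain integer, or one s/m/h suffix)."""
    units = {"s": 1, "m": 60, "h": 3600}
    suffix = value[-1].lower()
    if suffix in units:
        return int(value[:-1]) * units[suffix]
    return int(value)


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the file matches the 3.5 defaults."""
    settings = parse_sshd_config(text)
    findings = []

    env = settings.get("permituserenvironment", DEFAULTS["permituserenvironment"])
    if env.lower() != "no":
        findings.append(
            "PermitUserEnvironment is '%s': users can inject environment variables "
            "into their sessions; OpenSSH 3.5 defaults this to 'no'" % env
        )

    grace = settings.get("logingracetime", DEFAULTS["logingracetime"])
    seconds = grace_seconds(grace)
    # A value of 0 disables the limit entirely, so it is reported as well.
    if seconds == 0 or seconds > 120:
        findings.append(
            "LoginGraceTime is %s (%d s): unauthenticated connections are held open "
            "longer than the 120 s default adopted in OpenSSH 3.5" % (grace, seconds)
        )
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the embedded sample it reports both deviations; point `audit_sshd_config` at the contents of a real file to check a host after upgrading. The first-match rule matters: the later `LoginGraceTime 30` in the sample does not rescue the earlier 600, exactly as sshd would behave.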